
Information Governance Peter McKenzie Information Governance Manager NHS Tayside...

Date post: 31-Mar-2015
Page 1: Information Governance Peter McKenzie Information Governance Manager NHS Tayside informationgovernance.tayside@nhs.net.

Information Governance

Peter McKenzie

Information Governance Manager

NHS Tayside

informationgovernance.tayside@nhs.net

Caldicott Approval

The Caldicott Guardian has a responsibility to review and monitor all flows of information in NHS Tayside and all transfers of data outside of the organisation.

Approval must be sought when:

creating an information sharing protocol to share patient identifiable information (PII) with another organisation

proposals for research projects that will use PII

collecting PII for the purposes of creating a new database

Caldicott Approval – to cover…

research where data is used for any living patient (this also includes images, videos, charts etc).

all use of NHS patient data, even if you consider the data being held to be non-identifiable data. It is the responsibility of the Caldicott Guardian to review the use of all data and determine if it is appropriately anonymised to ensure that it is non-identifiable.

if identifiable data is to be used then you must be able to justify the requirement for use of this data.

all databases created for the purposes of research to hold patient identifiable data must also be registered for data protection purposes

Caldicott Principles

Justify the purpose for using person identifiable information (PII)

Only use PII when absolutely necessary

Use only the minimum PII required

Access is on a strict “need to know” basis

Everyone must be aware of their responsibilities

You must comply with the law

Caldicott Principles and Data Protection

DP1 Fair & Lawful

DP2 Specific Purposes

DP3 Adequate, Relevant and Not Excessive

DP4 Accurate

DP5 Retention

DP6 Individual's Rights

DP7 Held & Used Securely

DP8 Safe Non-EEA Transfers

C1 Justify the Purpose

C2 Necessary

C3 Minimum

C4 “Need to Know”

C5 Responsibilities

C6 Comply with Law

Caldicott Requirements

The Caldicott Guardian has to ensure that proposals comply with Caldicott Principles and that the technical and operational arrangements that are proposed will safeguard the information to be provided:

the justification for using PII? – linkage, other data sets

what that data is? – data items physical or electronic

where you will get the data from? – collected, manually or electronically extracted

is data to be collected from more than one source?

Caldicott Requirements

how you will get that data? – encrypted transfer, email

who will provide you with the data? – an authorised administrator, self, colleague, service

who will have access to the data? – co-users, data entry, processors

how you intend to protect the data given to you? – anonymisation, encryption, retention

if individuals are to be contacted who will do that and how will that be done? – GP, responsible medical officer, researcher

Caldicott Arrangements - HIC

[Diagram: Researcher; NHS Tayside Systems (Central Vision, TOPAS, MiDiS); Health Informatics Centre; Request for Anonymous Data; Request for Identifiable Data; Caldicott Approval]

NHS Generic Caldicott Approval

If the study is limited to:

a) using electronic data already held within, or accessed via HIC and will be undertaken using anonymised data or

b) also includes data collected directly from a patient who has explicitly consented to its use for this research and it is anonymously linked to other electronic data held within, or accessed via, HIC

…the study will not require explicit Caldicott Guardian approval.

The researcher will have no access to any identifiable data.

Any request for identifiable data will require specific Caldicott approval.

Caldicott Arrangements - Clinical Systems

[Diagram: Researcher; Request for Identifiable or Anonymous Data; Caldicott Approval; System Administrator; Live NHS Tayside System, e.g. Central Vision]

Where a study relies on electronic data already held in an NHS Tayside clinical information system then Caldicott Guardian approval is required.

Access to systems requires the identification of the person accessing data to be recorded by means of a transaction log.

Such logs are essential evidence of legitimate (in this case approved) access and form part of the person’s personal data. These records will be disclosed as part of any subject access request and any investigation of activity around a patient’s records.

The researcher will normally have no access to any identifiable data unless specific approval has been given.

Caldicott Approval

Caldicott Approval is concerned with:

controlling access to patient identifiable information

ensuring that adequate operational data handling arrangements are in place that clearly establish responsibilities

ensuring that adequate technical data handling arrangements are in place to safeguard the data

maintaining the trust and reassurance of patients in our handling of their personal data

Information Governance

Peter McKenzie

Information Governance Manager

NHS Tayside

informationgovernance.tayside@nhs.net

